What 'Material' Might Mean, and Other SEC Rule Mysteries

How can a CISO know if a cybersecurity incident is "material," and is that even the CISO's job? Forrester principal analyst Jeff Pollard explains this and other lessons learned after one year of living with the Securities and Exchange Commission's Cybersecurity Rule.

Sara Peters, Editor-in-Chief, InformationWeek

December 9, 2024

18 Min View

Dec. 15 will mark one year since the Securities and Exchange Commission began enforcing its landmark rule mandating that publicly traded companies disclose "material" cyber incidents. One year in, what have CISOs learned about defining "the 'm' word," and other unforeseen surprises?

Forrester principal analyst Jeff Pollard will dig into this in detail at the 2024 Forrester Security and Risk Summit, Dec. 9 - 11 in Baltimore and online, in a session called "A CISO's Life Preserver for SEC Disclosure Requirements" on Wednesday, Dec. 11. He gave InformationWeek a preview of that session, explaining a bit about what CISOs ought to know about materiality. (Good news: it's less than you think.)


About the Author

Sara Peters

Editor-in-Chief, InformationWeek

A journalist for over 20 years, Sara Peters has spent most of her career covering cybersecurity and enterprise IT, with a dash of basketball on the side. Before joining InformationWeek, she was senior editor at Dark Reading and a featured NBA columnist for Bleacher Report. 
